Releases: airlock/microgateway
Version 5.0.1
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6930 Updated Go to v1.26.2, updated base images
- NEW: AM-4931 Added headers are now logged for HeaderRewrites, in the same manner as removed headers
- NEW: AM-6907 LogOnly operational mode for HeaderRewrites
- NEW: AM-6932 Log current scopes and acr values in the OIDC details
- FIX: AM-6958 Keep configured order of acr values in OIDC authorization requests
- FIX: AM-7051 Fixed slow startup of Airlock Microgateway Engine pods by reducing the SDS initial fetch timeout
Version 4.8.6
Release description
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6893 Updated Go to v1.26.2, updated Envoy to v1.36.5, updated base images
Version 4.7.10
Release description
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6890 Updated Go to v1.25.9, updated Envoy to v1.35.9, updated base images
Version 5.0.0
Release description
Main new features
- Step-up authentication for OIDC
- ICAP support
- Post Quantum Cryptography
- Tracing support
- Common Expression Language (CEL) for validation
- Support for Kubernetes Gateway API v1.5
- Operator no longer uses webhooks
Breaking changes
- Sidecar support is no longer available in Microgateway 5.0. Please migrate to the Gateway API. For assistance, contact order@airlock.com.
- With the removal of Sidecar support, the structure of the Helm chart values file has been updated and improved.
- Support for Kubernetes Services of type ExternalName is now disabled by default. To allow ExternalName services to be used as backend references, the features.externalNameServicesAllowed flag must be explicitly set to true in the GatewayParameters CRD.
Gateway API upgrade notes
This release adds support for Kubernetes Gateway API v1.5.
If you are upgrading both Microgateway and Gateway API, ensure that Gateway API is upgraded first.
Important
- Downgrading from Gateway API CRDs v1.5 to an earlier version is not supported
- Installing the experimental channel on a cluster where the standard channel CRDs are already installed is not supported
For more information, see Gateway API v1.5.0.
Licensing
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.
Deny rule changelog
- FIX: AD-489 Reduced false positives of deny rule IDOR when evaluating paths
Changelog
- NEW: AM-4481 Extend Telemetry CRD with tracing support
- NEW: AM-5988 Helm test now uses Gateway API
- NEW: AM-5989 OIDC step-up support using scopes and ACR values
- NEW: AM-6127 Access Control Metrics Dashboard
- NEW: AM-6210 BackendTLSPolicy wellknownCACertificates property now supports "microgateway.airlock.com/openShiftServiceCA", allowing the OpenShift Service CA to be used for certificate validation
- NEW: AM-6216 Set the supported Gateway API features in the Gateway Class status according to the installed Gateway API CRD version
- NEW: AM-6619 Enable TLS curve "X25519MLKEM768" (post quantum cryptography/PQC) for TLS v1.3 by default
- NEW: AM-6379 Introduced new fields in GatewayParameters to control the Gateway Service load balancer class and session affinity
- NEW: AM-6450 Remove sidecar related properties from Helm Chart values
- NEW: AM-6556 Helm chart now checks for Gateway API availability during install/upgrade by default
- NEW: AM-6587 Introduced a new LogMaskingPolicy CRD that allows configuring how sensitive request data is masked in logs. The default configuration masks credential parameters and token headers.
- NEW: AM-6590 ICAP request filtering via new ICAPPolicy CRD
- NEW: AM-6601 Include matched route name/namespace/kind in access log under airlock.route
- NEW: AM-6633 Implemented handling of misdirected requests and added OverlappingTLSConfig condition
- NEW: AM-6759 Ensure that all request conditions have been initialized
- NEW: AM-81 ICAP REQMOD support
- FIX: AM-6208 Don't reject empty bodies with JSON content-type when using HTTP/2
- FIX: AM-6380 Using Gateway API CRDs <= v1.4 (standard channel) should no longer cause 'unknown field' warnings to be logged when reconciling Gateway/GatewayClass
- FIX: AM-6517 Fixed the underlying issue preventing updates of metadata annotations of Service resources configured by GatewayParameters
- FIX: AM-6722 Allow TLS connection to Redis without client certificate
- FIX: AM-6844 Corrected server-side apply listType for HeaderRewrites custom add
- FIX: AM-6848 Corrected that HTTPRoutes attached to a Gateway listener with allowedRoutes.namespaces.selector were not reconciled upon namespace label changes
- CHG: AM-2610 Validating webhooks are replaced with API and model validations
- CHG: AM-4697 cert-manager is no longer required as a prerequisite
- CHG: AM-6206 Removed support for SidecarGateway CRD
- CHG: AM-6381 Apply header modifications for upstream response replacement
- CHG: AM-6461 Restructure values.yaml of Helm Chart
- CHG: AM-6488 On OIDC callback path redirect to '/' if session has expired
- CHG: AM-6534 Overhauled control plane logic to work without the internal EnvoyConfiguration CRD, resulting in significant operator performance improvements
- CHG: AM-6586 Ensured that sensitive information is only logged at trace level in the application logs
- CHG: AM-6704 Removed the metric "microgateway_license_health_probe_approx_rq_per_hour"
- CHG: AM-6743 Reduced operator memory usage by disabling managedFields caching
- CHG: AM-6770 Response code detail 'airlock_upstream_response_replacement' renamed to 'airlock_custom_response_upstream_replaced'
- CHG: AM-6827 Changed default port for sentinel nodes in RedisProvider CRD from 6379 to 26379
- CHG: AM-6841 Increased maximum allowed RE2 program size to 8192
- CHG: AM-6843 Reduced RegexPattern max length API validation to 256 characters
- CHG: AM-6855 ExternalName Services are no longer allowed as backends unless the new feature flag externalNameServicesAllowed is enabled in GatewayParameters
- CHG: AM-6860 Validation of controllerName Helm value is now more restrictive to ensure the unprefixed name can be used as label value
- UPD: AM-6217 Updated Gateway API to v1.5
- UPD: AM-6707 Updated Envoy to v1.37
Version 4.8.5
Release description
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6781 Updated Go to v1.25.8, updated base images
- FIX: AM-6809 Fixed an issue where the engine would crash if the same JWKS was fetched by two parallel requests
- CHG: AM-6841 Changed maximum RE2 program size to 8192
Version 4.7.9
Release description
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6780 Updated Go to v1.25.8, updated base images
- FIX: AM-6809 Fixed an issue where the engine would crash if the same JWKS was fetched by two parallel requests
- CHG: AM-6841 Changed maximum RE2 program size to 8192
Version 4.8.4
Release description
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6726 Updated base images
- SEC: AM-6755 Fixed request conditions not working correctly in certain scenarios if ContentSecurityPolicy is configured to unsecured
- FIX: AM-6763 Added validation to prevent invalid negative timeout configuration for external endpoints
Version 4.7.8
Release description
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6732 Updated base images
- SEC: AM-6755 Fixed request conditions not working correctly in certain scenarios if ContentSecurityPolicy is configured to unsecured
- FIX: AM-6763 Added validation to prevent invalid negative timeout configuration for external endpoints
Version 4.6.10
Release description
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6731 Updated base images
- SEC: AM-6755 Fixed request conditions not working correctly in certain scenarios if ContentSecurityPolicy is configured to unsecured
- FIX: AM-6763 Added validation to prevent invalid negative timeout configuration for external endpoints
Version 4.8.3
Release description
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Changelog
- SEC: AM-6701 Updated Go to v1.25.6, updated base images
- FIX: AM-6674 Reduced memory allocations in Dynamic Multi-Namespace Mode
- CHG: AM-6706 Add scheduling gate to Gateway pod to wait for secret creations first